Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting) Debate

Department: Department for Science, Innovation & Technology


Kanishka Narayan Excerpts
Tuesday 24th February 2026


Public Bill Committees
The Chair

I thank the shadow Minister for getting those comments on the record. Would the Minister like to address those points?

The Chair

The shadow Minister can keep us updated on whether that has happened.

New Clause 2

Register of foreign powers for the purposes of Part 4

“(1) For the purposes of informing action taken under Part 4 of this Act, the Secretary of State must, by regulations, establish and maintain a register of foreign powers that the Secretary of State believes present a risk to the United Kingdom’s critical network and information systems within six months of the passing of this Act.

(2) Foreign powers designated by the Secretary of State under subsection (1) must include states –

(a) which have been confirmed by GCHQ as having—

(i) perpetrated, or attempted to perpetrate, a cyber-attack in the UK in the preceding seven years,

(ii) targeted, or intended to target, that attack at the network or information systems of one or more operators of an essential service or critical suppliers, or

(iii) carried out, or intended to carry out, that attack through a state department, agency or affiliate group,

(b) which GCHQ has warned pose a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers.

(3) Regulations under this section are subject to the affirmative resolution procedure.

(4) In this section, ‘foreign power’ means–

(a) the sovereign or other head of a foreign state in their public capacity;

(b) a foreign government, or part of a foreign government;

(c) an agency or authority of a foreign government, or of part of a foreign government;

(d) an authority responsible for administering the affairs of an area within a foreign country or territory, or persons exercising the functions of such an authority; or

(e) a political party which is a governing political party of a foreign government. A political party is a governing political party of a foreign government if persons holding political or official posts in the foreign government or part of the foreign government—

(i) hold those posts as a result of, or in the course of, their membership of the party, or

(ii) in exercising the functions of those posts, are subject to the direction or control of, or significantly influenced by, the party.”—(Dr Ben Spencer.)

This new clause would require the Government to maintain a register of state actors posing a threat to UK cyber security for the purposes of exercising the Secretary of State’s powers under Part 4 of the Act, which enable the giving of directions in the interests of national security.

Brought up, read the First time, and Question proposed (10 February), That the clause be read a Second time.

Question again proposed.

--- Later in debate ---
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

In our previous sitting, the hon. Member for Runnymede and Weybridge set out clearly the cyber-threat posed by China, and argued that, through new clause 2, China should be explicitly recognised as a foreign power presenting a significant risk to the United Kingdom. He rightly highlighted the precedent in UK legislation for maintaining registers of hostile or high-risk state actors to protect national security. I agree that Parliament should be unequivocal in recognising the Chinese Communist party as a strategic cyber-threat, particularly given evidence of state-linked cyber-espionage, infrastructure compromise and the targeting of critical national infrastructure.

We have seen data from the Cabinet Office last week indicating that the Government plan to drastically reduce the integrated security fund spending on domestic cyber and tech to counter cyber-attacks. It will be cut from £113.3 million to £95 million by 2028-29, which is a reduction of 16%. Domestic spending to counter Russian threats in the same period will incur a drop of more than 20%. Those reductions leave us dangerously exposed and are in direct opposition to the Government’s promises to support the UK’s national security priorities. New clause 2 offers the chance to identify and monitor state actors that pose a threat to UK cyber-security.

The register must also reflect the evolving nature of cyber-risk. Threats do not arise solely from formally hostile states, but also from jurisdictions where hostile cyber-actors operate at scale, using digital infrastructure to target UK systems and citizens. We have seen that in countries such as India and Nigeria, where organised cyber-criminal networks have run sophisticated international operations against the UK, exploiting cloud services and telecommunications infrastructure. In India, law enforcement has dismantled major cyber-crime hubs linked to international targeting, including operations specifically affecting large numbers of British victims.

In 2025, the National Crime Agency worked in partnership with India’s Central Bureau of Investigation to raid an organised crime group in Uttar Pradesh, which had targeted more than 100 UK citizens with pop-ups stating that their devices had been compromised, losing them more than £390,000. That is not only an unacceptable financial loss for our citizens, but a significant waste of resources. In Nigeria, long-established cyber-criminal networks continue to conduct large-scale digital fraud campaigns aimed at overseas targets including the United Kingdom. Interpol’s Operation Serengeti in 2025 tackled high-impact cyber-crimes in Nigeria and 17 other nations, arresting 1,209 suspects and recovering nearly $100 million that had been stolen through cyber-fraud.

Although these states might not be hostile in a geopolitical sense, hostile cyber-actors operating within their borders are none the less inflicting sustained harm and placing heavy burdens on our cyber-defence and law enforcement resources. I support the aims of new clause 2, but urge Ministers to ensure that the framework is flexible enough to capture not only hostile states but jurisdictions that consistently serve as bases for large-scale hostile cyber-activity. Data from the Cabinet Office shows that integrated security fund spending on Russia is set to fall over 20% between 2026 and 2029, which shows that the Government are not taking threats from Russia, or other hostile nations, seriously enough.

Kanishka Narayan

It is a pleasure to serve with you in the Chair, Ms McVey.

I thank the shadow Minister, the hon. Member for Runnymede and Weybridge, for the new clauses in his name, which would require the Secretary of State to create a register of foreign powers that pose a threat to UK cyber-security, to review that register, and to lay a report before Parliament. This is intended to inform the use of powers granted under part 4 of the Bill. I empathise with the shadow Minister’s concerns that hostile foreign actors could target the network and information systems of operators of essential services or critical suppliers. That is a clear risk, and one that we are addressing through the Bill.

As drafted, the Bill grants the Secretary of State new powers to issue national security directions to regulated entities or regulators where their compromise poses a national security risk. So long as those tests are met, the powers may be used by the Secretary of State irrespective of the actor that is causing the national security incident or threat.

New clause 2 would require the creation of a register of foreign states that pose a risk to the UK based on GCHQ advice. I reassure the shadow Minister that regardless of the proposed new clause, any decision to use the powers in this part of the Bill will be informed by expert national security advice from GCHQ. As a result, it is unclear what additional support the proposed register would provide to the Secretary of State when, for example, deciding whether to issue a direction to a regulated entity.

Additionally, the report required by new clause 3 would effectively be a list of the vulnerabilities of the network and information systems of our essential services, and would therefore be an asset to malicious actors. That would be counterproductive to national security. The new clause would allow the Secretary of State not to publish part or all of the report, if publishing would be contrary to the interests of national security. However, it is unclear how even part of the report could be published without harming national security, given its intended content.

Drafting a report of vulnerabilities that cannot be disclosed to Parliament without harming national security would simply duplicate existing assessments, and run the risk of distracting Government from more effective measures to protect from hostile foreign actors. That is not to say that we shirk transparency about these kinds of risk. The Government are already able to communicate with Parliament and the public about such cyber-security risks where it is appropriate to do so, through things such as the National Cyber Security Centre’s annual report and advisories. I therefore kindly ask that the shadow Minister withdraw the new clause.

I thank the hon. Member for Henley and Thame for the Liberal Democrat new clauses in his name, which would require the Secretary of State to publish a statement of how the Government intend to address risks posed by foreign actors to UK network and information systems, and to assess how many entities regulated by the NIS regime are owned in part or in full by foreign states.

Let me reassure the hon. Member that the Government take the risks posed by foreign interference seriously. The NCSC’s annual reviews continue to highlight cyber-risks to the UK from foreign actors, as well as measures to mitigate those risks. We have robust processes for assessing such threats, drawing on the expertise of the intelligence community, including the National Cyber Security Centre and the National Protective Security Authority.

The measures introduced by the Bill will boost the security and resilience of network and information systems across essential services, managed services and relevant digital services, protecting them from the risks of foreign interference. Where that is not enough, the Bill provides a backstop: the new direction powers in the Bill will enable the Government to protect our critical services from exactly those kinds of national security risks. We will be able to require a regulated entity to undertake any action that is necessary and proportionate for national security in response to the threat of a compromise. Conducting assessments of the ownership structures of the many thousands of in-scope entities within six months would be disproportionately resource intensive, distracting Government from more effective measures to protect our services.

Publishing a review identifying national security risks caused by foreign state ownership, or assessing whether our powers are adequate, as the Opposition’s new clause 3 would require, would provide valuable insight to our adversaries. As I have previously set out, there is a clear pathway for Government to communicate with Parliament and the public about such cyber-risks where it is appropriate to do so, but where we identify specific concerns, it is right that we retain the ability to assess and respond without disclosing our conclusions to those who might exploit them.

Finally, it is worth pointing out that, as drafted, new clause 13 is not aligned with the intended scope of the Bill. The Bill is solely concerned with entities that are currently, or could one day be, regulated under the NIS regulations. This new clause would require a statement on the risks posed to all UK network and information systems, which is a significant broadening of the scope of NIS-regulated entities and sectors. Similarly, the focus on Government procurement seems outside that scope, given that Government network and information systems are not wholly regulated by the Bill. For those reasons, I ask that the hon. Member for Henley and Thame kindly consider not pressing his amendment.

Dr Spencer

I am grateful to the Minister for his response, but we have seen over the past six months, especially with the alleged spying incidents in Parliament, the Government’s resistance to recognising the Chinese Communist party as a threat. When it comes to our new clause 3 and concerns over transparency, we have also seen, in the last few weeks, that there are mechanisms—for example, the Intelligence and Security Committee—to ensure the disclosure of documents, while preserving national security. I would therefore like to press new clauses 2 and 3 to a vote.

Question put, That the clause be read a Second time.

--- Later in debate ---
Dr Spencer

I thank my hon. Friend for his intervention, which is more for the Minister and the Government Whip’s benefit than mine.

Properly established ISACs will not only increase real-time awareness of cyber-risks and mitigations, but could also alleviate some of the burden on regulators in terms of sector-specific intelligence analysis. Industry feedback and experience from the adoption of the Network and Information Systems Regulations 2018 indicate that sectoral regulators are unlikely to have the capacity to assist with intelligence sharing in relation to real-time cyber-risks.

We know from the sectoral regulators’ oral evidence that building sufficient capacity for effective regulatory oversight is a challenge. Where we have models for sector-led and market-led good practice in hardening cyber-resilience, we should look at how it can be rolled out further. Seeing more of these organisations emerge could even lead to broader adoption beyond NIS-regulated areas to other industries. ISACs have the potential to become integral nodes in improving whole-of-society cyber-resilience, and it is an approach called for by many cyber industry stakeholders. I therefore commend new clause 4.

Kanishka Narayan

I thank the shadow Minister for this amendment, which would require the Secretary of State to review how information sharing and analysis centres support the functioning of the NIS regime and what steps the Government can take to improve them.

I recognise the intent of this new clause. These centres play a key role in promoting collaboration and co-ordination in the cyber-security space, allowing organisations to share information, intelligence and best practice. In fact, the UK already benefits from a range of such initiatives, many of which are facilitated by the National Cyber Security Centre. In its latest annual report, the NCSC noted that more than 200 companies now meet regularly in trust groups to exchange intelligence and best practice, and to support each other in incident response. NIS regulators also support organisations to share information with each other in sector-specific groups.

However, while I fully endorse the value of those initiatives, I do not believe it is the Government’s role to review how they operate or to mandate how or where they are established. Such centres are meant to be a forum in which organisations can voluntarily engage in the exchange of information. As such, they operate most effectively where the initiative for participation comes from the organisations themselves or from technical authorities such as the NCSC.

The Government are, of course, committed to ensuring that the information-sharing provisions within the Bill are effective, and that will be assessed through the formal review of the legislation already required under clause 40. I kindly ask the shadow Minister to withdraw the new clause.

Dr Spencer

In response to the Minister’s comments, clause 40 is about a review; it does not provide any direction, other than for the Secretary of State to do their job in reviewing this area. I will press new clause 4 to a vote.

Question put, That the clause be read a Second time.

--- Later in debate ---
Dr Spencer

I agree about the importance of putting things on the record. Since the hon. Member obviously has not been listening to my speech, he can check it out on the record. I acknowledged the challenges in this area—[Interruption.] Does the Government Whip want to intervene, or was she just chuntering? I will continue.

Given that the Bill puts quite a burden on the private sector, as we discussed over several sittings before the parliamentary recess, I think it is important that the Government recognise, as my hon. Friend the Member for Spelthorne said, it would be pretty shameless not to vote for accountability for themselves while putting it on other people. Let us see how the vote goes. I commend new clause 5 to the Committee.

Kanishka Narayan

I thank the shadow Minister for moving new clause 5, which seeks to require annual reporting on progress towards meeting the recommendations of the National Audit Office’s report on Government cyber-resilience and meeting the implementation milestones of the Government’s cyber action plan.

We recognise the value of accessing the expertise of Parliament to hold the Government accountable for the changes required for our cyber-resilience. That is why, notwithstanding the hon. Member for Spelthorne acknowledging the embarrassment of the Conservative party owning its hypocrisy, this Government have already strongly welcomed the recent reports from the Public Accounts Committee and the National Audit Office on Government cyber-resilience.

Chris Vince (Harlow) (Lab/Co-op)

I declare an interest as a member of the Public Accounts Commission, which regularly scrutinises the National Audit Office. Can the Minister give some reassurance to Labour Members, who are being accused of hypocrisy, that we do make sure that the highest levels of cyber-security are met?

Kanishka Narayan

My hon. Friend is right. Where the Conservative party did absolutely nothing and continues with its hypocrisy, I am glad to inform hon. Members that this Government have already adopted a duty to provide biannual reporting on progress against the recommendations of these two reports.

Alison Griffiths (Bognor Regis and Littlehampton) (Con)

New clause 5 simply asks the Government to commit to reporting back on meeting the milestones they have set themselves for increasing cyber-security standards. Is the Minister confident in the Government’s ability to deliver on their cyber strategy, or is the document not worth the paper it is written on?

Kanishka Narayan

I simply repeat my prior sentence: this Government have already adopted a duty to provide biannual reporting on progress against the recommendations of these two reports.

In addition, the Government’s cyber action plan was published in January this year. It sets out how the Government will rapidly improve the cyber-security and resilience of public services to deliver a step change in cyber and digital resilience across the public sector. The plan sets out clear accountability structures to ensure that cyber-risks at all levels of Government are actively owned and effectively managed, with those responsible held to account.

Alison Griffiths

The continued use of legacy IT equipment is a particular vulnerability across the Government estate. That will take some time to address entirely, but is there a strategy in place to prioritise the upgrading of this legacy equipment, given that it is one of the greatest areas of exposure?

Kanishka Narayan

The hon. Member makes a very important point. We have heard of two major sources of risk from a cyber point of view: legacy technology and technology debt, and frontier AI attacks. The Government’s cyber action plan is not technology-specific, but both those sources of risk are very much on my mind, and I will make sure they are also on the mind of those implementing the Government’s cyber action plan.

I assure Members that we will continue to work with Parliament to support oversight of the plan’s implementation and to explore additional avenues for scrutiny of the Government’s cyber-resilience to guarantee the right level of accountability. I therefore kindly ask the shadow Minister to withdraw his new clause.

Question put, That the clause be read a Second time.

--- Later in debate ---
Dr Spencer

This new clause, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe, would require the Secretary of State to consult and report within one year on whether regulatory authorities and regulated persons have sufficient resources and capabilities to meet their statutory obligations. Historical levels of regulatory oversight and enforcement in relation to the NIS regulations 2018 have fallen short of what is necessary to achieve meaningful cyber-resilience across regulated sectors. The second post-implementation review of the NIS regs 2018, conducted in 2022, found that incident reporting on the part of regulated entities was very low, with only 13, 12 and 22 NIS incidents reported in 2019, 2020 and 2021 respectively.

A review conducted by the Worshipful Company of Information Technologists identified a near total absence of formal financial sanctions under the NIS regulations, with zero confirmed major penalties from 2021 to 2024. The model has not been conducive to effective discharge of regulatory responsibilities, with knock-on effects for cyber-resilience and regulated industries, yet regulators will be expected to oversee a far larger pool of regulated bodies and process a far larger number of incident reports under the Bill’s provisions. It is therefore right for us to scrutinise carefully whether regulators are in a position to meet these obligations.

In the evidence sessions, many of my questions to witnesses, including those from Ofgem, Ofcom and the Information Commissioner’s Office, focused on their preparations to meet the demands of their expanded roles. It was clear from feedback that although regulators understand what they need to do to prepare, the practical challenges associated with securing sufficient resource are far from resolved. I would therefore be grateful if the Minister could clarify his plans to review regulators’ progress and what the key milestones will be to ensure that regulators can discharge their new duties alongside their existing ones when these provisions come into effect.

Kanishka Narayan

I thank the hon. Member for Brecon, Radnor and Cwm Tawe for his new clause, which seeks to require a consultation on the resourcing and capabilities of regulators and regulated entities, assessment on whether additional Government support is needed, and a report on the findings. I reassure the hon. Gentleman that the Bill was developed in close collaboration with regulators and industry to ensure that regulators have the right information and tools to implement it.

The Bill already requires the Government to produce two regular reports to monitor the effectiveness of the legislation, and those would naturally include reviews of whether resourcing and capability were impacting on the effectiveness of the regime. The first of those is the annual report on regulator activities in relation to the statement of strategic priorities. The second is the report on the operation of the legislation, which must take place at least every five years.

Lincoln Jopp

While we are talking about resources and the application of the Bill, I raise with the Minister that, on page 102 of the impact assessment, it states that the going rate for a contract lawyer is £34 an hour. To my mind, that is out by a factor of probably 10. In the 10 days since our last sitting, has the Minister had a chance to re-examine the impact assessment and discover whether that was a genuine error? That number gets multiplied many times in the impact assessment. Has he had a chance to look into that?

Kanishka Narayan

The hon. Member has made that point a couple of times before. I am happy to write to him about the calculations, so that he is able to understand the survey and the significant uplift on which the figures are based.

In response to the hon. Member for Brecon, Radnor and Cwm Tawe, given that the two reports can already include the topics addressed by his new clause, adding another report would risk confusing their purposes and increasing administrative burdens on those involved unnecessarily. The Government will not hesitate to adapt our support offering based on the findings of those reports. That will include using our flexible mechanisms—for example, updating our guidance to regulators, the statement of strategic priorities and the code of practice. Beyond that, we will continue to engage with regulators as the Bill is implemented, and consider whether any other means of improving regulators’ and regulated entities’ resourcing and capabilities are necessary and proportionate. For those reasons, I ask the hon. Member to withdraw his new clause.

Question put, That the clause be read a Second time.

--- Later in debate ---
Kanishka Narayan

New clause 14 would require the Government to establish a dedicated support service for small and medium-sized enterprises that are operators of essential services, relevant digital service providers, relevant managed service providers or critical suppliers. That would include provision of advice, technical assistance and recovery guidance following a cyber-incident. It is worth noting that the Bill exempts small and micro enterprises from the regulations as relevant digital service providers or relevant managed service providers. Although regulators can designate a small or micro entity as a critical supplier, very few are expected to meet the threshold for criticality in practice. Similarly, there are limited examples of small or micro operators of essential services.

Improving the cyber-security of our nation’s small and medium-sized businesses is important for the resilience of our wider economy. That is why the Government have developed a wide range of free tools, guidance and training to help those businesses implement cyber-security measures. Such tools include the recently launched cyber action toolkit, which provides small and medium-sized businesses with tailored advice and the offer of free 30-minute consultations with NCSC-certified cyber advisers. Report Fraud, a reporting service for cyber-crime and fraud, runs a 24/7 cyber business incident reporting line, with regional cyber-resilience centres across England and Wales also providing support for small and medium-sized businesses, including incident response and business continuity advice in line with NCSC standards.

I hope that reassures the hon. Member for Henley and Thame that there is already considerable support available for small and medium-sized entities. Considering that, a new dedicated service is unnecessary, and it could divert resources from existing Government and NCSC schemes and impact our efficacy. For those reasons, I hope he will withdraw the new clause.

Question put, That the clause be read a Second time.

--- Later in debate ---
Dr Spencer

New clause 16 would require active board oversight of security and resilience measures and accountability for board members where they fail in those oversight duties, whereas new clause 17 would require regulated entities to carry out proportionate, periodic testing of the security and resilience of their network and information systems, and provide the results to regulatory bodies upon request.

On board accountability, as we have already discussed in this Committee, the existing regulatory model under NIS regulations has not been sufficiently effective in driving up cyber-resilience standards to meet emerging threats. Board engagement is a key part of that, but the stat I quoted previously in this Committee indicates that engagement is going in the wrong direction. What assessment has the Minister made of the potential advantages and disadvantages of direct accountability in the adoption of effective cyber-resilience measures, based on a roll-out of the NIS2 regulations?

Proportionate testing of systems may be a useful tool in detecting and managing cyber-security risk. What consideration has the Minister’s Department given to how that topic should be approached in the Secretary of State’s code of practice?

Kanishka Narayan

I thank the hon. Member for Brecon, Radnor and Cwm Tawe for his new clauses. I will speak first to new clause 16, which seeks to require boards or equivalent management bodies of operators of essential services, relevant digital service providers, relevant managed service providers and critical suppliers to take specific measures to oversee the security and resilience of their network and information systems.

Board-level engagement is a necessary part of proactively and effectively managing cyber-risks. That is why we published the cyber governance code of practice last spring, as part of a wider package of action to support boards in more effectively governing digital risks to enhance their organisation’s cyber-resilience. More recently, the Secretary of State, together with the Chancellor, the Business Secretary, the Security Minister, and leaders of the NCSC and NSA, wrote to the CEOs and chairs of the UK’s leading organisations, asking them to make cyber-risk a board level priority.

I agree with the hon. Member that going further on board-level responsibility is necessary. That is why we will introduce security and resilience requirements in secondary legislation, following consultation. We will consult on proposals that are consistent with the NCSC’s cyber assessment framework, as we confirmed in our policy statement last year. The cyber assessment framework includes comprehensive measures on good cyber governance, including clear board level responsibility. It is important that industry is consulted on those measures, that they form part of a holistic package on security and resilience, and that they can be updated flexibly over time. We intend to consult on proposals for security and resilience requirements and wider implementation plans later this year.

New clause 17 seeks to require all organisations in scope of the Bill to test the security and resilience of their network and information systems. We agree that proportionate cyber-security testing is critical to identifying and mitigating vulnerabilities in systems and networks. Organisations in scope need to take appropriate and proportionate measures to manage risks to network and information systems on which they rely, and that can include testing of network and information systems. In particular, relevant digital service providers are already required to account for testing as part of their overarching security duty. Additionally, all regulators can use their powers to mandate testing by an inspector, or by the regulated entity, to verify compliance or investigate potential failures.

I reassure the hon. Member that we are going further. We will be updating and providing more detail on the measures that regulated entities need to take, as well as setting strategic objectives for regulators. As I have said before, our proposals for the security and resilience requirements in secondary legislation will be consistent with the NCSC’s cyber assessment framework, which includes measures on appropriate testing.

David Chadwick

Is the Minister aware that the financial services industry is required to conduct regular testing of its systems, and that sectors like aviation and nuclear have designated individuals in their security organisations who are responsible for overseeing those sorts of practices?

Kanishka Narayan

I thank the hon. Member for his point. I am also aware that the National Cyber Security Centre’s cyber assessment framework has very specific measures on appropriate testing as well. It already exists, and we want to make sure that it is an important part of specific security and resilience requirements in secondary legislation.

It is crucial that industry is consulted on the nature of any requirements related to testing. As mentioned, we intend to consult on the proposals later in the year. We will also issue a statement of strategic priorities for regulators, and will explore whether that is an appropriate vehicle for driving consistency in the behaviours of regulators in respect of their approach to testing for their sector.

Overall, any approach to going further on proportionate and regular testing must be developed alongside the full set of security and resilience requirements, and co-ordinated and communicated with a wider package of implementing measures. That will allow the impact of options to be assessed, and provide the industry with clarity on the overall approach, including how the components fit together.

The shadow Minister asked about the consideration of NIS2 requirements. We have looked at NIS2 provisions, and variability in member states’ implementation of it, as part of a wider set of considerations on which we will be consulting regarding secondary legislation on governance.

My hon. Friend the Member for Milton Keynes Central made an incredibly important point about security by design, which I very much take into account. The Government Digital Service is already working on a secure by design standard. We want to make sure that it is as robust as possible, and extend it across not just the public sector but parts of the private sector. I will make sure that security by design remains at the heart of the Government’s cyber action plan, as well as that of the private sector.

Emily Darlington

I thank the Minister for that commitment. Would he consider setting up a meeting between GDS and those MPs who have expertise in this area, so that we can share our expertise and reassure ourselves that this is going in the right direction and at the speed that is necessary?

Kanishka Narayan

My hon. Friend has extensive expertise, from which I benefit extensively. I will be keen to make sure that the Government Digital Service does so too.

In the light of those commitments, I kindly ask the hon. Member for Brecon, Radnor and Cwm Tawe not to press the new clauses.

David Chadwick

During the evidence sessions, numerous very knowledgeable witnesses called for these new clauses, so I will push them both to a vote.

Question put, That the clause be read a Second time.

--- Later in debate ---
Dr Spencer

I am a bit unclear about the hon. Gentleman’s intervention. The point I was making was that there is legitimate concern that people doing research into this area and doing threat assessments risk prosecution, so, across the whole of our society, that work is not being done. We have heard quite a lot of evidence from cyber campaigns about the benefits that changes to this law would make to the system, which is why we tabled the new clause. I commend new clause 19 to the Committee. I hope the Minister agrees that now is the time to address the issue.

I suspect that this will be my last, or penultimate, time speaking to the Committee, so I would like to finish by thanking Members on both sides of the Committee for a fun and, at times, robust debate over the past month. I thank the Chairs, the Clerks and all the teams working on the Bill—and Sophie Thorley from my office, who has done incredible research on the Bill.

Kanishka Narayan

I thank hon. Members for their new clauses; I recognise the strong feeling and thoughtful contributions about reforming the Computer Misuse Act.

I speak first to new clause 18, which seeks to place a duty on the Secretary of State to review whether amendments to the Computer Misuse Act could support the security and resilience of network and information systems used for carrying out essential activities. I assure the hon. Member for Runnymede and Weybridge that the Government remain committed to ensuring that the Act remains up to date and effective.

The Home Office is already conducting a review of the Computer Misuse Act, and is developing proposals that arise from its findings. That includes careful consideration of proposals to introduce a statutory defence that would allow researchers to spot and share vulnerabilities. It will provide an update as soon as the proposals are finalised. However, limiting a defence to only the sectors covered by the NIS regime would be impractical. Any package of workable defence would need to be broad enough to apply economy-wide.

New clause 19 raises the introduction of a statutory defence to the Computer Misuse Act. I acknowledge the strong sentiment regarding reform of the CMA. There is no doubt that UK cyber-security professionals play a significant role in maintaining the country’s overall security and resilience. Supporting them is vital.

I agree with the principle behind the new clause: that a defence to section 1 of the Computer Misuse Act could strengthen the resilience of network and information systems by allowing researchers to spot and share vulnerabilities. The Government are already conducting a review of the Computer Misuse Act, and we have made significant progress in developing a proposal for a limited defence to the offence provided for in section 1 of the Computer Misuse Act.

Andrew Cooper (Mid Cheshire) (Lab)

Many of us, on both sides of the House, are sympathetic to both new clauses. We heard very clearly in evidence sessions that the Computer Misuse Act, as it is today, has a chilling effect on the operation of the cyber-security industry in this country and on whether such companies want to locate here as opposed to other countries.

I absolutely hear what the Minister says about the Home Office developing proposals. I wonder whether he can set out a timescale for when those proposals are likely to be brought forward—whether he expects that to be in this parliamentary Session or the next one. The issue is clearly holding back the cyber-security industry in this country, and we would all like to see it resolved.

Kanishka Narayan

My hon. Friend is absolutely right to recognise the shared sense on the principle of reforming the Computer Misuse Act. Although I am not in a position to give him a specific timeline, I absolutely take into account his recognition that the work needs to proceed at pace. Having held an industry engagement recently on specific proposals, with more than 75 attendees from a range of cyber-security organisations, the Home Office is now reviewing specific feedback as a particular proposal. The question is not whether we will reform the Computer Misuse Act, but simply how.

Freddie van Mierlo

I am grateful to the Minister for his reassurances on the ongoing review of the Computer Misuse Act. On that basis, I would like to say that I will withdraw the new clause.

David Chadwick

Will the Minister clarify what he thinks ethical vulnerability research actually constitutes?

Kanishka Narayan

Sure. I would not wish to define it technically, but my understanding is that it is research aimed at ethical hacking. It is effectively trying to find vulnerabilities through simulated attack systems, which can broaden our understanding of risks and vulnerabilities and allow us to mitigate them accordingly.

I return to new clause 19. Limiting a defence to just the sectors covered by the NIS regime would be impractical; any proposal for a workable defence needs to be broad enough to apply across the economy. That is why we are making sure that, through the Home Office, we are working as promptly as possible to ensure a proposal that is strong in its safeguards to prevent misuse. Engagement, including with the cyber-security industry, is already under way to refine our approach.

Dr Spencer

We are a responsible Opposition and we are pleased to hear about the work that the Minister and his Department have been doing and about the shared purpose in getting this done and getting it right. Would he give us a bit more detail of the timescales and plans for public consultation? I understand that he has been doing some personal consultation in private, but will there be a public consultation? Given that the reform crosses two Departments, which Department will be taking it forward? What I am really looking for from him is a confirmation at the Dispatch Box that he is personally committed to getting this piece of work over the line during this parliamentary term.

Kanishka Narayan

I thank the shadow Minister for his recognition of our shared approach on this question. Reform of the Computer Misuse Act is led by the Home Office. I have given my personal commitment to ensuring that reform, but I will also write to him and members of the Committee with as much detail as possible on the timeline to ensure that we are moving fast on it.

In that spirit, I thank hon. Members for their work on this question of the amendment to the Computer Misuse Act and use this opportunity to thank you, Ms McVey, the entire Committee staff and hon. Members for their expertise and perhaps for their sense of fun as well. I thank all staff members, in particular the Bill team in the Department, which has been fabulous throughout the entire process.

Freddie van Mierlo

I beg to ask leave to withdraw the clause.

Clause, by leave, withdrawn.

Bill, as amended, to be reported.